Real-time vulnerability monitoring

ABSTRACT

A security information management system is described, wherein client-side devices preferably collect and monitor information describing the operating system, software, and patches installed on the device(s), as well as configuration thereof. A database of this information is maintained, along with data describing vulnerabilities of available software and associated remediation techniques available for it. The system exposes an API to support security-related decisions by other applications. For example, an intrusion detection system (IDS) accesses the database to determine whether an actual threat exists and should be (or has been) blocked.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 60/484,085. This application is also related to applications titled MULTIPLE-PATH REMEDIATION (Attorney Docket No. 36029-4), POLICY-PROTECTION PROXY (Attorney Docket No. 36029-5), VULNERABILITY AND REMEDIATION DATABASE (Attorney Docket No. 36029-6), AUTOMATED STAGED PATCH AND POLICY MANAGEMENT (Attorney Docket No. 36029-7), and CLIENT CAPTURE OF VULNERABILITY DATA (Attorney Docket 36029-8), all filed on even date herewith. All of these applications are hereby incorporated herein by reference as if fully set forth.

FIELD OF THE INVENTION

The present invention relates to computer systems, and more particularly to management of security of computing and network devices that are connected to other such devices.

BACKGROUND

With the growing popularity of the Internet and the increasing reliance by individuals and businesses on networked computers, network security management has become a critical function for many people. Furthermore, with computing systems themselves becoming more complex, security vulnerabilities in a product are often discovered long after the product is released into general distribution. Improved methods are needed, therefore, for managing updates and patches to software systems, and for managing configurations of those systems.

The security management problem is still more complex, though. Often techniques intended to remediate vulnerabilities (such as configuration changes, changes to policy settings, or application of patches) add additional problems. Sometimes patches to an operating system or application interfere with operation of other applications, and can inadvertently disable mission-critical services and applications of an enterprise. At other times, remediation steps open other vulnerabilities in software. There is, therefore, a need for improved security management techniques.

SUMMARY

One form of the present invention is a database of information about a plurality of devices, updated in real-time and used by an application to make a security-related decision. The database stores data indicating the installed operating system(s), installed software, patches that have been applied, system policies that are in place, and configuration information for each device. The database answers queries by one or more devices or applications attached by a network to facilitate security-related decision making. In one form of this embodiment, a firewall or router handles a connection request or maintenance of a connection based on the configuration information stored in the database that relates to one or both of the devices involved in the transmission.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a networked system of computers in one embodiment of the present invention.

FIG. 2 is a block diagram showing components of several computing devices in the system of FIG. 1.

FIGS. 3 and 4 trace signals that travel through the system of FIGS. 1 and 2 when the present invention is applied to them.

DESCRIPTION

For the purpose of promoting an understanding of the principles of the present invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will, nevertheless, be understood that no limitation of the scope of the invention is thereby intended; any alterations and further modifications of the described or illustrated embodiments, and any further applications of the principles of the invention as illustrated therein are contemplated as would normally occur to one skilled in the art to which the invention relates.

Generally, the present invention in its preferred embodiment operates in the context of a network as shown in FIG. 1. System 100 includes a vulnerability and remediation database 110 connected by Internet 120 to subnet 130. In this exemplary embodiment, firewall 131 serves as the gateway between Internet 120 and the rest of subnet 130. Router 133 directs connections between computers 137 and each other and other devices on Internet 120. Server 135 collects certain information and provides certain data services that will be discussed in further detail herein.

In particular, security server 135 includes processor 142, and memory 144 encoded with programming instructions executable by processor 142 to perform several important security-related functions. For example, security server 135 collects data from devices 131, 133, 137, and 139, including the software installed on those devices, their configuration and policy settings, and patches that have been installed. Security server 135 also obtains from vulnerability and remediation database 110 a regularly updated list of security vulnerabilities in software for a wide variety of operating systems, and even in the operating systems themselves. Security server 135 also downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities. In a preferred embodiment, each vulnerability in remediation database 110 is identified by a vulnerability identifier, and the vulnerability identifier can be used to retrieve remediation information from database 110 (and from database 146, discussed below in relation to FIG. 2).

In this preferred embodiment, computers 137 and 139 each comprise a processor 152, 162, memory 154, 164, and storage 156, 166. Computer 137 executes a client-side program (stored in storage 156, loaded into memory 154, and executed by processor 152) that maintains an up-to-date collection of information regarding the operating system, service pack (if applicable), software, and patches installed on computer 137, and the policies and configuration data (including configuration files, and elements that may be contained in files, such as *.ini and *.conf files and registry information, for example), and communicates that information on a substantially real-time basis to security server 135. In an alternative embodiment, the collection of information is not retained on computer 137, but is only communicated once to security server 135, then is updated in real time as changes to that collection occur.

Computer 139 stores, loads, and executes a similar software program that communicates configuration information pertaining to computer 139 to security server 135, also substantially in real time. Changes to the configuration registry in computer 139 are monitored, and selected changes are communicated to security server 135 so that relevant information is always available. Security server 135 may connect directly to and request software installation status and configuration information from firewall 131 and router 133, for embodiments wherein firewall 131 and router 133 do not have a software program executing on them to communicate this information directly.

This collection of information is made available at security server 135, and combined with the vulnerability and remediation data from source 110. The advanced functionality of system 100 is thereby enabled as discussed further herein.

Turning to FIG. 2, one sees additional details and components of the devices in subnet 130. Computers 137 and 139 are traditional client or server machines, each having a processor 152, 162, memory 154, 164, and storage 156, 166. Firewall 131 and router 133 also have processors 172, 182 and storage 174, 184, respectively, as is known in the art. In this embodiment, devices 137 and 139 each execute a client-side program that continuously monitors the software installation and configuration status for that device. Changes to that status are communicated in substantially real time to security server 135, which continuously maintains the information in database 146. Security server 135 connects directly to firewall 131 and router 133 to obtain software installation and configuration status for those devices in the absence of a client-side program running thereon.
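The client-side program described above reports a device's full state once and thereafter only the changes, so that database 146 stays current without the agent re-sending everything on every scan. The following is an added example of that behaviour, not code from the patent: the agent keeps a compact digest of what it last reported, diffs a fresh inventory against it, and emits a delta message only when something actually changed. The inventory layout, the device name, the patch names, file paths and registry key are all constructed placeholders, and the transport is a plain callable standing in for the real network channel to security server 135.

```python
import hashlib
import json

# Constructed sample inventory of one monitored device. Assumption: the agent
# models state as a flat dict of "path -> value". Patch names, file paths and
# the registry key are placeholders, not real identifiers.
INVENTORY_BEFORE = {
    "os": {"name": "ExampleOS", "version": "1.0", "service_pack": "SP1"},
    "software": ["webserver 2.4", "mailer 8.1"],
    "patches": ["PATCH-A", "PATCH-B"],
    "config:/etc/example/app.conf": {"listen": "0.0.0.0:80", "debug": "off"},
    "registry:HKLM\\SOFTWARE\\Example\\Policy": {"AllowRemote": 0},
}
# The same device after a patch was installed, a config file was edited and
# a policy key was deleted (constructed).
INVENTORY_AFTER = {
    "os": {"name": "ExampleOS", "version": "1.0", "service_pack": "SP1"},
    "software": ["webserver 2.4", "mailer 8.1"],
    "patches": ["PATCH-A", "PATCH-B", "PATCH-C"],
    "config:/etc/example/app.conf": {"listen": "0.0.0.0:80", "debug": "on"},
}


def fingerprint(value):
    """Stable digest of a JSON-serialisable value; sort_keys makes dict
    ordering irrelevant so only real content changes are reported."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()


def snapshot(inventory):
    """Reduce the inventory to {path: digest}: a compact record of what the
    agent last reported, without retaining the full collection locally."""
    return {path: fingerprint(value) for path, value in inventory.items()}


def diff(old, new):
    """Return (added, removed, changed) path sets between two snapshots."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {p for p in set(old) & set(new) if old[p] != new[p]}
    return added, removed, changed


class Agent:
    """Client-side monitor: a full report on first run, deltas afterwards."""

    def __init__(self, device_id, transport):
        self.device_id = device_id
        self.transport = transport  # callable that delivers a message to the server
        self.last = None

    def report(self, inventory):
        current = snapshot(inventory)
        if self.last is None:
            message = {"device": self.device_id, "kind": "full", "state": inventory}
        else:
            added, removed, changed = diff(self.last, current)
            if not (added or removed or changed):
                return None  # nothing changed: stay silent, no traffic
            message = {
                "device": self.device_id,
                "kind": "delta",
                "added": {p: inventory[p] for p in sorted(added)},
                "removed": sorted(removed),
                "changed": {p: inventory[p] for p in sorted(changed)},
            }
        self.last = current
        self.transport(message)
        return message


def run_demo():
    """Drive the agent through a first run, an unchanged re-scan and a real
    change; return the messages the security server would have received."""
    received = []
    agent = Agent("computer-137", received.append)
    agent.report(INVENTORY_BEFORE)  # full state
    agent.report(INVENTORY_BEFORE)  # no change, so no message
    agent.report(INVENTORY_AFTER)   # delta only
    return received


if __name__ == "__main__":
    for msg in run_demo():
        print(json.dumps(msg, indent=2))
```

Digesting each path rather than the raw value is what lets the agent run in the "not retained locally" mode the text mentions: it keeps only the digest table between scans, yet can still tell which configuration file, registry key or patch list moved and ship just those values.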

Processors 142, 152, 162 may each be comprised of one or more components configured as a single unit. Alternatively, when of a multi-component form, processor 142, 152, 162 may each have one or more components located remotely relative to the others. One or more components of processor 142, 152, 162 may be of the electronic variety defining digital circuitry, analog circuitry, or both. In one embodiment, processor 142, 152, 162 are of a conventional, integrated circuit microprocessor arrangement, such as one or more PENTIUM 4 or XEON processors from INTEL Corporation of 2200 Mission College Boulevard, Santa Clara, Calif., 95052, USA, or ATHLON XP processors from Advanced Micro Devices, One AMD Place, Sunnyvale, Calif., 94088, USA.

Memories 144, 154, 164 may include one or more types of solid-state electronic memory, magnetic memory, or optical memory, just to name a few. By way of non-limiting example, memory 40b may include solid-state electronic Random Access Memory (RAM), Sequentially Accessible Memory (SAM) (such as the First-In, First-Out (FIFO) variety or the Last-In First-Out (LIFO) variety), Programmable Read Only Memory (PROM), Electrically Programmable Read Only Memory (EPROM), or Electrically Erasable Programmable Read Only Memory (EEPROM); an optical disc memory (such as a DVD or CD ROM); a magnetically encoded hard drive, floppy disk, tape, or cartridge media; or a combination of any of these memory types. Also, memories 144, 154, 164 may be volatile, nonvolatile, or a hybrid combination of volatile and nonvolatile varieties.

In this exemplary embodiment, storage 146, 156, 166 comprises one or more of the memory types just given for memories 144, 154, 164, preferably selected from the non-volatile types.

This collection of information is used by system 100 in a wide variety of ways. With reference to FIG. 3, assume for example that a connection request 211 arrives at firewall 131 requesting that data be transferred to computer 137. The payload of request 211 is, in this example, a probe request for a worm that takes advantage of a particular security vulnerability in a certain computer operating system. Based on characteristics of the connection request 211, firewall 131 sends a query 213 to security server 135. Query 213 includes information that security server 135 uses to determine (1) the intended destination of connection request 211, and (2) some characterization of the payload of connection request 211, such as a vulnerability identifier. Security server 135 uses this information to determine whether connection request 211 is attempting to take advantage of a particular known vulnerability of destination machine 137, and uses information from database 146 (see FIG. 2) to determine whether the destination computer 137 has the vulnerable software installed, and whether the vulnerability has been patched on computer 137, or whether computer 137 has been configured so as to be invulnerable to a particular attack.

Security server 135 sends result signal 217 back to firewall 131 with an indication of whether the connection request should be granted or rejected. If it is to be granted, firewall 131 passes the request to router 133 as request 219, and router 133 relays the request as request 221 to computer 137, as is understood in the art. If, on the other hand, signal 217 indicates that connection request 211 is to be rejected, firewall 133 drops or rejects the connection request 211 as is understood in the art.

Analogous operation can protect computers within subnet 130 from compromised devices within subnet 130 as well. For example, FIG. 4 illustrates subnet 130 with computer 137 compromised. Under the control of a virus or worm, for example, computer 137 sends connection attempt 231 to router 133 in an attempt to probe or take advantage of a potential vulnerability in computer 139. On receiving connection request 231, router 133 sends relevant information about request 231 in a query 233 to security server 135. Similarly to the operation discussed above in relation to FIG. 3, security server 135 determines whether connection request 231 poses any threat, and in particular any threat to software on computer 139. If so, security server 135 determines whether the vulnerability has been patched, and if not, it determines whether computer 139 has been otherwise configured to avoid damage due to that vulnerability. Security server 135 replies with signal 235 to query 233 with that answer. Router 133 uses response 235 to determine whether to allow the connection attempt.

In some embodiments, upon a determination by security server 135 that a connection attempt or other attack has occurred against a computer that is vulnerable (based on its current software, patch, policy, and configuration status), security server 135 selects one or more remediation techniques from database 146 that remediate the particular vulnerability. Based on a prioritization previously selected by an administrator or the system designer, the remediation technique(s) are applied (1) to the machine that was attacked, (2) to all devices subject to the same vulnerability (based on their real-time software, patch, policy, and configuration status), or (3) to all devices to which the selected remediation can be applied.

In various embodiments, remediation techniques include the closing of open ports on the device; installation of a patch that is known to correct the vulnerability; changing the device's configuration; stopping, disabling, or removing services; setting or modifying policies; and the like. Furthermore, in various embodiments, events and actions are logged (preferably in a non-volatile medium) for later analysis and review by system administrators. In these embodiments, the log also stores information describing whether the target device was vulnerable to the attack.
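The query flow of FIGS. 3 and 4 and the remediation prioritization just described share one decision core: given a vulnerability identifier and a device's live software, patch and configuration status, classify the device as not affected, patched, configured safe, or vulnerable. The following is an added example of that core on the security server side, written for this page and not taken from the patent. `handle_query` answers a firewall or router query (the destination and a vulnerability identifier) with allow or reject and writes the log entry, including whether the target was vulnerable; `plan_remediation` chooses the highest-priority applicable technique for the attacked machine and widens the target set to one of the three scopes in the text. The vulnerability table, device records, identifier `VULN-0001`, patch name `PATCH-C`, the setting name and port number are all constructed placeholders, and treating an unknown device or identifier as reject (fail closed) is a design assumption of this example.

```python
ALLOW, REJECT = "allow", "reject"

# Vulnerability and remediation data as loaded from database 110 into 146
# (constructed; "VULN-0001" and "PATCH-C" are placeholders, not real identifiers).
VULN_DB = {
    "VULN-0001": {
        "software": "webserver",
        "affected_versions": {"2.4"},
        "fixing_patches": {"PATCH-C"},
        "safe_settings": {"app.remote_admin": "off"},  # config that neutralises it
        "remediations": [  # administrator's priority order
            {"technique": "apply_patch", "patch": "PATCH-C"},
            {"technique": "set_config", "settings": {"app.remote_admin": "off"}},
            {"technique": "close_port", "port": 8080},
        ],
    },
}

# Real-time device status as reported by the client-side agents (constructed).
DEVICE_DB = {
    "computer-137": {"software": {"webserver": "2.4"}, "patches": set(),
                     "config": {"app.remote_admin": "on"}, "open_ports": {22, 8080}},
    "computer-139": {"software": {"webserver": "2.4"}, "patches": {"PATCH-C"},
                     "config": {"app.remote_admin": "on"}, "open_ports": {8080}},
    "computer-141": {"software": {"webserver": "2.4"}, "patches": set(),
                     "config": {"app.remote_admin": "off"}, "open_ports": {8080}},
    "router-133": {"software": {"routeros": "5.1"}, "patches": set(),
                   "config": {}, "open_ports": {80}},
}

EVENT_LOG = []  # a non-volatile medium in a real deployment; a list here


def assess(device_id, vuln_id):
    """Classify one device's exposure to one vulnerability from its live status."""
    dev, vuln = DEVICE_DB[device_id], VULN_DB[vuln_id]
    if dev["software"].get(vuln["software"]) not in vuln["affected_versions"]:
        return "not_installed"
    if dev["patches"] & vuln["fixing_patches"]:
        return "patched"
    if all(dev["config"].get(k) == v for k, v in vuln["safe_settings"].items()):
        return "configured_safe"
    return "vulnerable"


def handle_query(query):
    """Query 213 -> result 217: the caller supplies the intended destination and
    a vulnerability identifier; unknown devices or identifiers fail closed."""
    dest, vuln_id = query["destination"], query["vulnerability_id"]
    state = assess(dest, vuln_id) if dest in DEVICE_DB and vuln_id in VULN_DB else "unknown"
    decision = REJECT if state in ("vulnerable", "unknown") else ALLOW
    EVENT_LOG.append({"destination": dest, "vulnerability_id": vuln_id,
                      "target_was_vulnerable": state == "vulnerable",
                      "decision": decision})
    return {"decision": decision, "reason": state}


def applicable(device_id, vuln_id, technique):
    """Whether a remediation technique can be applied to a device at all."""
    dev = DEVICE_DB[device_id]
    installed = VULN_DB[vuln_id]["software"] in dev["software"]
    kind = technique["technique"]
    if kind == "apply_patch":
        return installed and technique["patch"] not in dev["patches"]
    if kind == "set_config":
        return installed and any(dev["config"].get(k) != v
                                 for k, v in technique["settings"].items())
    return kind == "close_port" and technique["port"] in dev["open_ports"]


def plan_remediation(vuln_id, attacked, scope):
    """Pick the highest-priority technique that applies to the attacked machine,
    then widen the target set by scope: 'attacked', 'vulnerable' or 'applicable'."""
    technique = next((t for t in VULN_DB[vuln_id]["remediations"]
                      if applicable(attacked, vuln_id, t)), None)
    if technique is None:
        return None, []
    if scope == "attacked":
        return technique, [attacked]
    if scope == "vulnerable":
        return technique, sorted(d for d in DEVICE_DB if assess(d, vuln_id) == "vulnerable")
    if scope == "applicable":
        return technique, sorted(d for d in DEVICE_DB if applicable(d, vuln_id, technique))
    raise ValueError(f"unknown scope {scope!r}")


def remediate(device_id, technique):
    """Apply a technique to the device's status record (the agent does the real work)."""
    dev, kind = DEVICE_DB[device_id], technique["technique"]
    if kind == "apply_patch":
        dev["patches"].add(technique["patch"])
    elif kind == "set_config":
        dev["config"].update(technique["settings"])
    elif kind == "close_port":
        dev["open_ports"].discard(technique["port"])


if __name__ == "__main__":
    print(handle_query({"destination": "computer-137", "vulnerability_id": "VULN-0001"}))
    print(plan_remediation("VULN-0001", "computer-137", "applicable"))
```

With these constructed records a probe for `VULN-0001` aimed at computer-137 is rejected, the same probe aimed at the patched computer-139 or the safely configured computer-141 is allowed, and the router, which does not run the affected software, is never a target. The three scopes differ in practice: "vulnerable" names only computer-137, while "applicable" also reaches computer-141, which is protected by configuration today but would still benefit from the patch.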

A real-time status database according to the present invention has many other applications as well. In some embodiments, the database 146 is made available to an administrative console running on security server 135 or other administrative terminal. When a vulnerability is newly discovered in software that exists in subnet 130, administrators can immediately see whether any devices in subnet 130 are vulnerable to it, and if so, which ones. If a means of remediation of the vulnerability is known, the remediation can be selectively applied to only those devices subject to the vulnerability.

In some embodiments, the database 146 is integrated into another device, such as firewall 131 or router 133, or an individual device on the network. While some of these embodiments might avoid some failures due to network instability, they substantially increase the complexity of the device itself. For this reason, as well as the complexity of maintaining security database functions when integrated with other functions, the network-attached device embodiment described above in relation to FIGS. 1-4 is preferred.

In a preferred embodiment, a software development kit (SDK) allows programmers to develop security applications that access the data collected in database 146. The applications developed with the SDK access information using a defined application programming interface (API) to retrieve vulnerability, remediation, and device status information available to the system. The applications then make security-related determinations and are enabled to take certain actions based on the available data.

In these exemplary systems, “configuration information” for each device may take the form of initialization files (often named *.ini or *.conf), configuration registry (such as the Windows Registry on Microsoft WINDOWS operating systems), or configuration data held in volatile or non-volatile memory. Such configuration information often determines what and how data is accepted from other devices, sent to other devices, processed, stored, or otherwise handled, and in many cases determines what routines and sub-routines are executed in a particular application or operating system.

All publications, prior applications, and other documents cited herein are hereby incorporated by reference in their entirety as if each had been individually incorporated by reference and fully set forth.

While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is to be considered as illustrative and not restrictive in character, it being understood that only the preferred embodiments have been shown and described and that all changes and modifications that would occur to one skilled in the relevant art are desired to be protected.

1. A system, comprising: a plurality of computing devices, each comprising a processor and memory, wherein the memory is encoded with programming instructions executable by the processor; a database of device status information that characterizes zero or more vulnerabilities to which each of the computing devices is subject, wherein the device status information is kept current in substantially real time; and an application that transmits a query signal to the database; receives a result signal, responsive to the query signal, from the database; and makes a security-related determination based on the result signal.

2. The system of claim 1, wherein the application is an intrusion detection system, and the security-related determination is whether to produce a signal indicating that an intrusion attempt has occurred.

3. The system of claim 1, wherein: the application is selected from the group of applications consisting of a firewall, a proxy, and a router; and the security-related determination is whether to allow a connection to pass.

4. The system of claim 1, wherein the security-related determination is selected from the group consisting of: whether to block a connection attempt; whether to pass a communication from one device to another through a network; and whether to permit software to be installed.

5. The system of claim 4, wherein the connection attempt is a request from an external device to connect with at least one of the plurality of computing devices.

6. The system of claim 4, wherein the connection attempt is a request from one of the computing devices to connect with another of the computing devices.

7. The system of claim 1, wherein the query signal and the result signal are each transmitted over a network.

8. The system of claim 1, wherein for at least one of the plurality of computing devices, the device status information is kept current by a software agent executed by the processor of each of the at least one of the plurality of computing devices.

9. The system of claim 8, wherein: a set of programming instructions for the software agent is encoded in the memory of the at least one computing device; and the set of programming instructions is executed by the processor of the at least one computing device.

10. The system of claim 1, wherein a single computing device hosts the database of device status information and the application.

11. The system of claim 10, wherein the single computing device is not in the plurality of computing devices.

12. A method, comprising: transferring data including device status information from at least one client computer to a server incorporating a database in substantially real time; receiving a connection request at an application; transmitting a query signal from the application to the server, the query signal including information characterizing the connection request; transmitting a result signal, responsive to the query signal, from the server to the application; and making and executing a security-related determination relating to the connection request, wherein the determination is made as a function of the information in the query signal and data in the database.

13. The method of claim 12, wherein the determination is to block the connection request.

14. The method of claim 12, wherein the determination is made by the application based on the result signal.

15. The method of claim 12, wherein: the determination is made by the server; the determination is reflected by information in the result signal; and the executing is performed by the application.

16. The method of claim 12, wherein: the application is an intrusion detection system; and the determination is to produce a signal indicating that an intrusion attempt has occurred.

17. The method of claim 12, wherein for each of the at least one client computers, the database includes: information that characterizes zero or more vulnerabilities to which the client computer is subject; data identifying an operating system, software, and patches installed on the client computer; software security information associated with the operating system, software, and patches; and data characterizing the system policy settings and configuration data on the client computer.

18. The method of claim 12, further comprising transferring a data stream including vulnerability remediation information from at least one vulnerability remediation database to the server.

19. The method of claim 18, wherein the data stream includes: data characterizing security vulnerabilities for one or more operating systems; and vulnerability remediation information, the vulnerability remediation information including vulnerability remediation techniques for the security vulnerabilities.

20. The method of claim 19, further comprising: selecting a remediation technique for a vulnerability of the at least one client computer; and applying the selected vulnerability remediation technique, wherein the selecting is performed by the server, and the applying is performed by the at least one client computer.

21. The method of claim 12, wherein: the at least one client computer is on a subnet; and the connection request includes a request from a source that is not on the subnet to connect with the at least one client computer.

22. The method of claim 12, wherein: the plurality of computing devices includes a first client computer and a second client computer; and the connection request includes a request from the first client computer to connect with the second client computer.

23. The method of claim 12, wherein the connection request includes a request from an external source to install a software program on one of the at least one client computers.

24. An apparatus, comprising a device encoded with logic executable by one or more processors to communicate with a database of device status information to make a security-related determination, wherein: the device status information includes information representing zero or more vulnerabilities of a client computer, updated in substantially real time; and the determination is made as a function of the device status information.

25. The apparatus of claim 24, wherein the communication with the database includes: the device transmitting a query signal to the database; and the database transmitting a result signal, responsive to the query signal and containing information from the database, to the device.

26. The apparatus of claim 25, wherein the determination is made based on the result signal.

27. The apparatus of claim 24, wherein the determination is selected from the group consisting of: whether to block a connection attempt; whether to pass a communication from one device to another through a network; and whether to permit software to be installed.

28. The apparatus of claim 24, wherein the device is an intrusion detection system, and the determination includes whether to produce a signal that indicates an intrusion attempt has occurred.

29. The apparatus of claim 24, wherein the device status information further includes information representing vulnerabilities and remediation techniques received from a vulnerability remediation database.

30. The apparatus of claim 29, wherein the determination includes: selecting one or more remediation techniques; and remediating one or more vulnerabilities of the client computer according to the one or more selected techniques.

31. A method, comprising: receiving device status information for one or more computing devices in substantially real time; detecting one or more vulnerabilities of the one or more computing devices based on the device status information; selecting one or more remediation techniques from a first database, the one or more remediation techniques corresponding to the one or more detected vulnerabilities; and remediating the one or more detected vulnerabilities according to the one or more selected remediation techniques.

32. The method of claim 31, wherein the receiving, detecting, and selecting are performed by a server incorporating the first database.

33. The method of claim 31, wherein: the remediation techniques are initially stored in a second database; and the remediation techniques are periodically updated from the second database to the first database.

34. The method of claim 31, wherein for at least one of the plurality of computing devices, the device status information is updated in substantially real time by a software agent executed by a processor of the at least one computing device.

35. The method of claim 34, wherein: a set of programming instructions for the software agent is encoded in a memory of the at least one computing device; and the set of programming instructions is executed by a processor of the at least one computing device.

36. A system, comprising: a plurality of computing devices, each comprising at least one processor and memory, wherein the memory is encoded with programming instructions executable by the processor; a database of security information, wherein: the security information includes device status information that characterizes zero or more vulnerabilities to which each of the computing devices is subject; the security information also includes one or more remediation techniques; the device status information is kept current in substantially real time; and the system is operable to select remediation techniques as a function of the security information and remediate vulnerabilities to which the computing devices are subject according to the selected remediation techniques; and an application that makes security-related determinations as a function of the security information.

37. The system of claim 36, wherein the application: transmits a query signal to the database; receives a result signal, responsive to the query signal, from the database; and makes a security-related determination based on the result signal.

38. The system of claim 36, wherein: the application is an intrusion detection system; and the determination is whether to generate a signal indicating that an intrusion attempt has occurred.

39. The system of claim 36, wherein the application is selected from the group consisting of a firewall, a proxy, and a router.